
Come To Your Senses Already!

When it comes to cybersecurity, few things can be more perilous than to
be asleep at the wheel. Every day, a great number of new vulnerabilities
appear. In 2020, for example, there was apparently an average of 50 per
day. However, patches continually emerge to close them. The problem arrives
when people fail to consider them, thus increasing their risk of getting
screwed. It is not uncommon to see a person or firm who inadvertently
falls asleep and ends up losing in this field. But the most peculiar of
all is that now that loss can also be provoked by a nightmare.

What kind of nightmare are we referring to?

About two months ago, Microsoft warned about and released an out-of-band
patch (i.e., a fix published at a time other than the regular release
time) for PrintNightmare, a security flaw. This bug, which initially
seemed to involve two vulnerabilities, CVE-2021-34527 and CVE-2021-1675,
allows attackers to take control of PCs. The issue lies specifically in
the Windows Print Spooler (spoolsv.exe), a printing management service
“enabled by default in all Windows clients and servers.” As long as that
first patch and the subsequent ones are not applied to the client systems
that keep the service active, attackers will have code to exploit.

In general, we can understand PrintNightmare as a remote code execution
(RCE) vulnerability based on operations improperly performed with
privileged files by the mentioned Windows service. Therefore, attackers
exploiting such a flaw can execute malicious code with system privileges
inside the target device without physical access. Moreover, they can
install software, steal, modify or remove information, or “create new
accounts with full user rights,” according to Microsoft.

As Cimpanu commented for The Record in late June, a part of
PrintNightmare (at least the one with ID 1675) was at that time the
latest of many Print Spooler-related findings. It turns out that this bug
had been discovered earlier this year by several researchers. Microsoft
already had the patch for all its users to update their systems. However,
the snag arose when, supposedly by “accident,” technical details of the
bug and a proof-of-concept exploit ended up being shared on GitHub by
analysts from a Chinese security firm. This information was online for
just a few hours, but that was enough for it to be cloned by different
users. From there, it reappeared later in the public domain.

Since then, it has been known that this vulnerability could affect all
versions of the Windows operating system, even those now rarely used,
such as Vista and XP. The nightmare started to get darker when several
researchers reported that the patch delivered by Microsoft was
insufficient. Apparently, it only repaired “part” 1675 (the privilege
escalation vulnerability) but not “part” 34527 (the RCE vulnerability),
both of which were initially grouped as if they were a single security
flaw. Hence, Microsoft requested users to disable the service,
“especially on Windows servers running as domain controllers from where
attackers can pivot to entire internal networks.” Days later, in early
July, the second patch was released, surprisingly even for Windows 7,
which had lost general support more than a year ago. Microsoft
recommended its installation as soon as possible.

After Microsoft deployed patches for other versions of Windows (printer
driver installation restrictions were becoming manifest), there were
complaints that they did not provide sufficient protection. Ideas from
researchers began to be made public about how the patches Microsoft had
already submitted to close PrintNightmare could be bypassed. It was not
until the first half of this month that authors like Todd from
SecureWorld were able to say something like the following: “Now,
Microsoft has finally fixed the vulnerability.”

At first, it was curious to see that the security flaw Todd referred to
in his post as PrintNightmare was CVE-2021-36958, a different ID from
those we saw above. However, Microsoft recently reported that there are
really several vulnerabilities that together receive that name. (Today,
it seems, there are about 10.) Another, for example, is CVE-2021-34481.
It was in relation to this design flaw that Microsoft exposed its new
solution approach on August 10. It is about changing the default behavior
of the Windows Point and Print feature. In a nutshell, as Cimpanu said,
“While until now, any user could add a new printer to a Windows
computer, [from now on], only admin users will be able to add or
update a printer with drivers from a remote print server.”
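The two mitigations the post describes, disabling the Print Spooler where it is not needed (above all on domain controllers) and the August 10 Point and Print default that restricts driver installation to administrators, can be audited from the defender's side. The following PowerShell is an added example, not code from Fluid Attacks or Microsoft; it assumes it runs elevated on the host being checked, and the `PointAndPrint` policy value names are the ones Microsoft documented for that August 2021 change (the key is simply absent on hosts that never had the policy set).

```powershell
# Added example: audit a host for the PrintNightmare mitigations discussed in the post.
# Assumes an elevated session. The PointAndPrint value names follow Microsoft's
# documentation for the August 2021 default change; they are not taken from the post.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PrintNightmareMitigationState {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isDc = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2
    $pnp = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue

    $restrictToAdmins = if ($pnp) { $pnp.RestrictDriverInstallationToAdministrators } else { $null }
    $noElevation      = if ($pnp) { $pnp.NoWarningNoElevationOnInstall } else { $null }

    $findings = @()
    if ($isDc -and $spooler -and $spooler.Status -eq 'Running') {
        $findings += 'Print Spooler is running on a domain controller; disable it unless required.'
    }
    # 0 explicitly reverts to the pre-August-2021 behaviour (any user may install drivers).
    if ($restrictToAdmins -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators is 0: non-admins can install printer drivers.'
    }
    # 1 suppresses the elevation prompt for Point and Print driver installs.
    if ($noElevation -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall is 1: driver installs happen without elevation warnings.'
    }

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        IsDomainController                         = $isDc
        SpoolerStatus                              = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
        SpoolerStartType                           = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
        RestrictDriverInstallationToAdministrators = $restrictToAdmins
        NoWarningNoElevationOnInstall              = $noElevation
        Findings                                   = $findings
    }
}

# Apply the first mitigation the post quotes: stop the service and keep it from restarting.
function Disable-PrintSpooler {
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}

Get-PrintNightmareMitigationState | Format-List
```

Run `Disable-PrintSpooler` only on hosts that do not need to print or serve printers; the audit function itself changes nothing.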

Figure 1. Photo by Mathew MacQuarrie on Unsplash.

Now ransomware weaponized with the nightmare?

Despite all the effort, the nightmare cannot come to an end as long as
many remain asleep. Meanwhile, others take advantage of it. More than a
month ago, Kaspersky pointed out that cybercriminals could use
PrintNightmare to carry out ransomware attacks. Well, that’s indeed what
has happened. Since mid-July, the group of malicious hackers behind the
Magniber ransomware has been leveraging this bug (especially 34527) to
breach Windows systems, mainly in South Korea.

According to Palmer in ZDNet, another group that has begun to attack,
taking quick advantage of PrintNightmare, is Vice Society, which appeared
recently in June. They use “double extortion attacks, stealing data from
victims and threatening to publish it if the ransom isn’t paid.”
Apparently, their victims include small and medium-sized organizations,
mainly educational institutions.

Certainly, these are not the only threat actors resorting to the
nightmare for their benefit. And, no doubt, the number of ransomware
groups seeking to infect unpatched systems is likely to grow soon. At
present, what we must do to avoid this nightmare is to wake up and
apply all available patches as soon as possible. Individuals and
organizations must always stay vigilant and up-to-date with Windows
security updates to reduce critical risks and prevent falling victim to
harmful attacks.

From Fluid Attacks, we invite you to remember that these are just a
few vulnerabilities that may be identified within your systems. If you
want to discover all the security flaws that, if exploited, could lead
your company to catastrophe, do not hesitate to contact us.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/printnightmare/